Today the mobile network operator O2 announced that it suffered a security breach. The breach occurred in the summer of 2011 when O2’s IT provider IBM lost a backup tape. O2 was made aware of the loss this summer an in their press release say they have been working with the Data Protection Commissioner’s office since. The press release from O2 states that the tape “had been misplaced” and that “While the tape remains unaccounted for it is possible that the tape has simply been misplaced within an otherwise secure location in O2.”

The release goes onto highlight that the tape itself was used mostly for backing up internal data belonging to O2 and that “it is possible that it could contain some personal data, it is more likely that it simply contained information about O2’s normal business affairs and company information”

After reading the release there are a number of issues that it raises in my mind, in no particular order they are;

• Why does O2 not know what was on the tape? Most backup systems have a logfile or record of what data was backed up.  It seems strange to me that there is no record as to what data was, and was not, backed up onto the tape.
• Why was the tape not encrypted? Copying data onto a tape means at some stage that data can be read back from the tape. This means anyone with the same type of tape drive and software can restore the data.  If that data is not encrypted then anyone with that equipment can restore and read the data. If the data is encrypted then even restoring it from tape makes it unaccessible to those without the proper access.
• Why did it take IBM so long, nearly a year, to notify O2 about the loss of the tape?
• Why did O2 take so long to notify customers of the potential data loss? Their press release states they were aware of the loss in July of this year, however it took 5 months to notify customers.  Under the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (SI 336 of 2011) specific obligations are placed on on providers of publicly available electronic communications networks or services to safeguard the security of their services. O2 as a telecommunications provider would come under these regulations.  In particular under the above regulations O2 is obliged in the “case of a personal data security breach affecting even one individual, providers of publicly available electronic communications networks or services must without undue delay:
  • notify the Office of the Data Protection Commissioner of the breach (even in circumstances where it considers the data would be unintelligible to third parties) including a description of the measures to be taken to address the breach; and
  • notify any individual that may be adversely affected by the breach. services

Within the press release O2 highlight minimises the breach by saying “it is possible that it could contain some personal data, it is more likely that it simply contained information about O2’s normal business affairs and company information.” So while the risk to customer data may be low it should be noted that information about its “normal business affairs” could also be highly sensitive.

As I have said before one of the important things in incident response is to learn from the incident. This applies not just to incidents in your own environment but also incidents in other organisations. The key lessons from this incident I see are;

• Make sure you catalogue what data you back up.
• Store those catalogue that data securely so you can reference it at a later date.
• Have an inventory of your backup media and regular check that inventory to make sure items are not missing or “misplaced” Encrypt your backups. This should apply to all data you backup and not just data that falls under the Data Protection Act.
• Regularly restore your data to ensure your backups are working as designed and that you can access the data.
• Securely dispose of old backup media when no longer required.